New Year’s Resolutions for Cybercriminals (Spoiler: Your Business Is on Their List)

7 Jan 2026

Right now, cybercriminals are setting their own New Year’s resolutions. 
They’re not thinking about self-care or work-life balance. They’re planning how to steal more in 2026. 

And guess what? Small businesses are at the top of their list. 
Not because you’re careless, but because you’re busy. And criminals love busy. 

Here’s their game plan for 2026—and how to ruin it. 

Resolution 1: “Send Phishing Emails That Look Real” 

The days of dodgy scam emails full of typos are over. 
AI now writes phishing emails that: 

  • Sound professional 
  • Use your company’s language 
  • Reference real vendors you work with 
  • Avoid obvious red flags 

They don’t need typos to trick you—they need timing. And January is perfect. Everyone’s distracted, catching up after the holidays. 

Example: 
“Hi [your name], I tried sending the updated invoice, but the file bounced back. Can you confirm this is still the right email for accounts? Here’s the new version—let me know if you have questions. Thanks, [actual vendor name].” 

Looks normal, right? That’s the point. 

Your counter-move: 

  • Train staff to verify, not just read. Any request involving money or credentials gets confirmed through a separate channel. 
  • Use email security tools that flag impersonation attempts. 
  • Create a culture where questioning is praised, not punished. 

Resolution 2: “Impersonate Your Vendors… or Your Boss” 

This one is brutal because it feels real. 

  • A vendor email: “We’ve updated our bank details. Please use this new account.” 

  • A text from “the CEO”: “Urgent. Wire this now. I’m in a meeting.” 

And now, deepfake voice scams are rising. Attackers clone voices from videos or voicemails. The “CEO” calls your finance team asking for a quick favour—and it sounds exactly like them. 

Your counter-move: 

  • Always verify bank changes via a known phone number. 
  • No payment moves without voice confirmation through established channels. 
  • Enable MFA (multi-factor authentication) on all finance accounts. 

Resolution 3: “Target Small Businesses Harder Than Ever” 

Big companies have tightened security. They’re harder to hack. So criminals pivoted. 
Instead of one $5 million attack, they go for a hundred $50,000 attacks. Easier. Faster. Lower risk. 

Small businesses are perfect targets because: 

  • You have money worth stealing 
  • You have data worth ransoming 
  • You probably don’t have a dedicated security team 

And the belief that “we’re too small to be a target”? That’s their favourite vulnerability. 

Your counter-move: 

  • Implement basics: MFA, updates, tested backups. 
  • Stop thinking you’re too small. You’re not too small to be attacked—just too small to make the news. 
  • Get professional help. You don’t need an enterprise security team, just a partner who’s watching your back. 

Resolution 4: “Exploit New Employee Season and Tax Chaos” 

January means new hires—and they don’t know your rules yet. They want to impress. They’re eager to help. Perfect targets. 

Tax season scams ramp up too: fake ATO emails and SMS messages, payroll and superannuation phishing, and bogus BAS or tax debt notices. 
Attackers impersonate your CEO or HR and ask for sensitive data. Once they have it, they file fraudulent tax returns before your employees do. 

Your counter-move: 

  • Train new hires before they get email access. 
  • Create clear policies: “We never send PAYG summaries or payroll information via email.” 
  • Reward verification. The employee who double-checks should be praised, not made to feel paranoid. 

Preventable Beats Recoverable. Every Time. 

You have two choices: 
Option A: React after the attack. Pay the ransom, hire emergency help, notify customers, rebuild systems, repair your reputation. Cost: tens or hundreds of thousands. 
Option B: Prevent the attack. Implement security, train your team, monitor threats. Cost: a fraction of Option A. 

You don’t buy a fire extinguisher after the building burns. You buy it so you never need it. 

How to Ruin Their Year 

A good IT partner keeps you off the “easy target” list by: 

  • Monitoring systems 24/7 
  • Tightening access and credentials 
  • Training your team on modern scams 
  • Setting verification policies for payments 
  • Maintaining and testing backups 
  • Patching vulnerabilities before criminals exploit them 

That’s fire prevention, not firefighting. 

Cybercriminals are optimistic about 2026. They’re counting on businesses like yours to be unprepared. Let’s disappoint them. 

Take Your Business Off Their Target List 

Book a New Year Security Reality Check. 
We’ll show you where you’re exposed, what matters most, and how to stop being low-hanging fruit. 

No scare tactics. No jargon. Just clarity. 

https://bluereef.com.au/contact or call us on 08 8922 0000. 

Because the best resolution is making sure you’re not on someone else’s list. 


© 2008 - 2020 BlueReef Technology (Tropical Business Solutions Pty Ltd)